Feds Counter Apple's Arguments Over iPhone 'Backdoor'

In a filing rebutting Apple's appeal of a court order requiring the company to help the FBI unlock the iPhone used by a shooter in the San Bernardino massacre, the Justice Department says Apple's rhetoric is "false" and "corrosive" to the institution that safeguards Americans' liberties and rights.

"The rule of law does not repose that power in a single corporation, no matter how successful it has been in selling its products," the Justice Department said in a 35-page motion filed March 10 with the U.S. District Court for the Central District of California.

DOJ, in its filing, says its request that Apple help the FBI to unlock the iPhone is a modest one that allows Apple to choose the least burdensome means to comply. It's a narrow, targeted order that will produce a narrow, targeted piece of software capable of running on just one iPhone in the security of Apple's headquarters, the DOJ argues.

"Apple deliberately raised technological barriers that now stand before a lawful warrant and an iPhone containing evidence related to a terrorist mass murder of 14 Americans," the senior law enforcement official said. "Apple, alone, can remove those barriers so the FBI can search the phone. They can do so without undue burden. Under those specific circumstances, Apple can be compelled to give aid. That is not lawless tyranny; rather it's ordered liberty vindicating the rule of law."

Apple Responds

Apple General Counsel Bruce Sewel says the tone of the government brief reads "like an indictment," adding that in his 30 years as a lawyer he had never "seen a legal brief that was more intended to smear the other side with false accusations and innuendo," according to media reports of a Thursday conference call with reporters.

Sewell said a number of the government's charges were groundless, including one that suggests that Apple's relationship with the Chinese government is different from ones with other countries. Government lawyers, he said, are "so desperate at this point that it has thrown all decorum to the winds."

The government, in its filing, says: " Apple appears to have made special accommodations in China as well: for example, moving Chinese user data to Chinese government servers, and installing a different WiFi protocol for Chinese iPhones. ... Such accommodations provide Apple with access to a huge, and growing, market."

U.S. Magistrate Judge Sheri Pym on Feb. 16 ordered Apple to assist the FBI by updating the iPhone to disable security features designed to wipe its memory or slow passcode entry to block brute-force attacks. Pym issued her order using the All Writs Act of 1789, which gives a judge the ability to issue court orders for matters not covered under current law (see Apple, FBI Draw Lines in Crypto Battle).

Focus on a Single iPhone

The Justice Department has framed its request as being limited to only unlocking a single phone: an iPhone 5C issued to Calif.-based Rizwan Farook, 29, by his employer, San Bernardino County. Farook and his wife Tashfeen Malik, 29, attacked Farook's work colleagues in a December shooting spree that left 14 people dead and 22 wounded. The government has also cited a legal precedent, recently noted by George Washington University law professor Orin Kerr, that it can force a suspect to help it crack an encryption scheme, in the form of the 1807 treason trial of Aaron Burr, when his clerk was compelled to decrypt a letter.

Year when the US Govt first tried (and succeeded) forcing 3rd party to help crack suspect's encryption scheme: 1807, in the Aaron Burr case.

In an impassioned Feb. 17 letter, Apple CEO Tim Cook said that Apple would fight the "dangerous" court order. "We have no sympathy for terrorists," he said. "But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

Citing Supreme Court decisions, the DOJ reiterated earlier arguments that it can use the All Writs Act to compel Apple to comply with the court order. Apple, however, has argued that the All Writs Act would subvert Congressional powers.

Apple contends creating special software to help circumvent the iPhone's password protection would also be burdensome, a point the government dismisses. The filing cites Apple as asserting it would take six to 10 employees two to four weeks to develop new code in order to carry out the court's order. "Even taking Apple at its word, this is not an undue burden, especially given Apple's vast resources and the government's willingness to find reasonable compromises and provide reasonable reimbursement," the filing says.

Disarming a Booby Trap

One argument advanced by Apple and its supporters in the technology community is that if it creates a password workaround to gain access to the iPhone, the code could get into the hands of potential hackers, stolen by spies, or taken to another firm by the engineers who worked on the project.

But the government attempts to dismiss this point. The filing says Apple needn't share the code with the government, adding that the company has shown it's capable of protecting code that could compromise its security.

"Even if criminals, terrorists and hackers somehow infiltrated Apple and stole the software necessary to unlock Farook's iPhone, the only thing that software could be used to do is unlock Farook's iPhone," the filing said. "Far from being a master key, the software simply disarms a booby trap affixed to one door: Farook's."

Security, Crypto Experts Respond

Some security experts, however, have questioned the government's claim that it's not trying to set a precedent with this new case, or that it's only about one device. Indeed, as Nicholas Weaver, a researcher at the International Computer Science Institute and the University of California at Berkeley, has noted, the entire U.S. legal system is based on precedent.

How can the DOJ with a straight face say this is only about the case at hand, in a court system which runs on precedent?

Cryptographer Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, likewise said the Justice Department is attempting to set a dangerous precedent that allows it to seize any code created by U.S. software developers, which in this case would be the cryptographic code that Apple uses to sign iOS updates, without which devices won't run the code. Alternately, the DOJ's filing warns, it will compel Apple's developers to write code that performs to the government's specifications - no matter the potential repercussions.

But many legal experts have said that attempting to compel developers to write code would likely violate their and Apple's First Amendment rights.

I miss the days when all we had to worry about was an infinite parade of software vulns. Governments commandeering signing keys is too much.

Meanwhile, iOS security expert Jonathan Å¹dziarski said that DOJ would likely already have attempted to seize Apple's signing code and write the update itself, but that it likely lacks developers that possess the requisite - highly specialized - programming skills that would be required.

This is the only reason .gov hasn't seized Apple's signing keys: they admit they wouldn't know how to use them. pic.twitter.com/1Op5UkQAsq

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;